Friday, 24 June 2011

SRX Route Based VPN - Overlapping Subnets

I read something recently that stated: 'as a network engineer, if you have never had to deal with overlapping or duplicated IP ranges then you may also be the kind of person who wins at slot machines'.

Working for an outsourcing company that needs VPN connections to all of its clients, this problem crops up all the time. Where possible the client network is re-addressed; more often than not, however, a mapped IP range is used.
Using ScreenOS this is simply done on the conflicting network's firewall by adding a MIP to the tunnel interface and then binding that MIP to the policy.

JUNOS works slightly differently but is still just as simple. In this example the remote network has the same subnet as our lab, 172.16.201.0/24. To enable routing between the two, we map our 172.16.201.0/24 to 192.222.222.0/24 with a static NAT rule. Once this is in place, the remote network simply routes 192.222.222.0/24 down the tunnel.

root@host# set security nat static rule-set Overlap_Subnet from zone VPN_Zone
root@host# set security nat static rule-set Overlap_Subnet rule Overlap_Rule1 match destination-address 192.222.222.0/24
root@host# set security nat static rule-set Overlap_Subnet rule Overlap_Rule1 then static-nat prefix routing-instance Trust-VR 172.16.201.0/24
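To make the effect of the static NAT rule above concrete, here is an added Python example (not part of the original post, and not Juniper code) that models what a prefix-to-prefix static NAT does: the host bits of each address are kept and only the network part is swapped, in both directions. It also carries the two checks a practitioner would want before committing such a rule: that the mapped range collides with neither real subnet, and that traffic arriving from the tunnel does not carry a source address that also lives on the local LAN (if the remote side sends from its own 172.16.201.x addresses, the lab hosts will answer locally instead of down the tunnel, so the remote firewall needs a mapping of its own). The subnet values are the ones from the post; the function names and the reply-check are my own construction.

```python
import ipaddress

# Values taken from the post's scenario: the local lab subnet, the remote
# subnet (identical, which is the whole problem) and the mapped range that
# the static NAT rule advertises to the remote side.
LOCAL_NET = ipaddress.ip_network("172.16.201.0/24")
REMOTE_NET = ipaddress.ip_network("172.16.201.0/24")
MAPPED_NET = ipaddress.ip_network("192.222.222.0/24")


def static_nat(addr, from_net, to_net):
    """One-to-one prefix translation: keep the host bits, replace the
    network bits. Both prefixes must be the same length for this to be
    a bijection (hypothetical helper, models 'then static-nat prefix')."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static NAT prefixes must be the same length")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def translate_inbound(dst):
    """Remote -> lab: a destination of 192.222.222.x becomes 172.16.201.x."""
    return static_nat(dst, MAPPED_NET, LOCAL_NET)


def translate_outbound(src):
    """Lab -> remote (the reply): a source of 172.16.201.x becomes 192.222.222.x."""
    return static_nat(src, LOCAL_NET, MAPPED_NET)


def mapped_range_is_safe(mapped, local, remote):
    """The mapped range must not collide with either real subnet, or the
    route lookup at one end becomes ambiguous."""
    return not mapped.overlaps(local) and not mapped.overlaps(remote)


def reply_would_stay_local(src_seen_by_lab_host):
    """True when a packet from the tunnel carries a source that is also a
    local lab address: the lab host's reply would be delivered on the LAN,
    never reaching the tunnel. The remote side must map its source too."""
    return ipaddress.ip_address(src_seen_by_lab_host) in LOCAL_NET


if __name__ == "__main__":
    print(LOCAL_NET.overlaps(REMOTE_NET))                   # True
    print(translate_inbound("192.222.222.10"))              # 172.16.201.10
    print(translate_outbound("172.16.201.10"))              # 192.222.222.10
    print(mapped_range_is_safe(MAPPED_NET, LOCAL_NET, REMOTE_NET))  # True
    print(reply_would_stay_local("172.16.201.50"))          # True
    print(reply_would_stay_local("10.99.0.50"))             # False
```

The last two calls are the check to run before declaring the design finished: an unmapped remote source that falls inside the local subnet means the return path is broken even though the destination NAT rule is correct.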

Now that this is working, we need to consider proxy-ids...
